[Freeipa-users] KPasswd TCP issues
Petr Spacek
pspacek at redhat.com
Wed Feb 20 08:32:57 UTC 2013
On 19.2.2013 23:29, ninibaba at worldd.org wrote:
> > > On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninibaba at worldd.org wrote:
> > > > I used IPA from the CentOS 6 repositories and I am having an issue I
> > > > can't seem to solve. I installed a server and a client with no issues,
> > > > but upon Nessus scans of the server, port 464 kpasswd UDP was flagged
> > > > for a ping-pong DoS attack. With this information I noticed kpasswd
> > > > also listens on TCP 464 which I understand was used for over-sized
> > > > requests and other errors. I attempted to IPTABLES block UDP for
> > > > kerberos which resulted in kpasswd no longer functioning from the
> > > > client. Kerberos authentication defaults to TCP without issue, but no
> > > > matter what I cannot get the client to use TCP for kpasswd. Is there a
> > > > way to force kpasswd on the client to use TCP (I was under the
> > > > understanding that if UDP failed TCP would be attempted). I am running
> > > > the latest from the CentOS 6 repos on both server and client. Thank
> > > > you!
> > >
> > > I just did a spot-check with udp port 464 set to REJECT on my server,
> > > with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
> > > ECONNREFUSED after trying to use the UDP port, and then correctly
> > > falling back and opening a TCP connection.
> > >
> > > Do you have more information about what exactly happens when it fails?
> > > What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
> > > in its environment? Is anything logged to /var/log/kadmind.log on the
> > > server when you run 'kpasswd' on the client? Can you try it while using
> > > 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
> > > between the two?
> > >
> > > Nalin
> >
> > /FACEPALM
> > So problem solved, I allowed all the necessary ports via IPTABLES, but
> > left the default REJECT rule in that comes by default to handle blocking
> > the UDP port for kpasswd. The default Reject rule in this case still
> > answers with prohibited instead of just a normal REJECT set for
> > unreachable. Problem solved. Thanks for pointing me somewhere =)
>
> Actually I'd like to take that back now, it works fine when running kpasswd,
> but if the user password is expired when SSHing to the client, during the reset
> it only tried UDP, the same as when issuing the passwd command as well.
I would recommend completely removing the SRV records for kpasswd over UDP (in
case you blocked kpasswd over UDP for all clients).
# ipa dnsrecord-del example.com _kpasswd._udp
This should prevent clients from even trying UDP.
Don't forget about DNS amplification attacks if you are paranoid :-)
--
Petr^2 Spacek
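As an added example (not code from this thread), the check below walks an iptables-save dump the way the INPUT chain sees a fresh kpasswd UDP datagram and reports how the packet is answered; the sample ruleset is constructed. Linux hands an ICMP port-unreachable to the client's UDP socket as the ECONNREFUSED Nalin describes, while the CentOS 6 catch-all's icmp-host-prohibited surfaces as a different error, which is why the explicit reject rule has to sit in front of the catch-all.

```python
import shlex

# Constructed sample: CentOS 6 style rules where UDP/464 only hits the catch-all REJECT.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Explicit UDP/464 reject that must precede the catch-all: port-unreachable is what the
# client's UDP socket reports as ECONNREFUSED, and that is what triggers the TCP retry.
FIXED_RULE = "-A INPUT -p udp -m udp --dport 464 -j REJECT --reject-with icmp-port-unreachable"


def _parse_rule(line):
    """Map each option flag to the token after it, e.g. {'-p': 'udp', '-j': 'REJECT'}."""
    toks = shlex.split(line)
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")}


def udp_verdict(rules_text, port="464"):
    """First-match walk of INPUT for a fresh UDP datagram to `port` (kpasswd by default).
    Returns 'ACCEPT', 'DROP', 'REJECT:<reject-with>' or 'POLICY:<chain policy>'."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        if not line.startswith("-A INPUT"):
            continue
        r = _parse_rule(line)
        if "--state" in r:
            continue  # conntrack state matches never catch the first probe
        if r.get("-p", "udp") != "udp" or r.get("--dport", port) != port:
            continue  # rule does not cover udp/<port>
        if r.get("-j") == "REJECT":  # REJECT without --reject-with means port-unreachable
            return "REJECT:" + r.get("--reject-with", "icmp-port-unreachable")
        if r.get("-j") in ("ACCEPT", "DROP"):
            return r["-j"]
    return "POLICY:" + policy


def insert_before_catchall(rules_text, rule):
    """Put `rule` ahead of the first catch-all REJECT in INPUT; rule order decides."""
    lines = rules_text.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT -j REJECT"))
    return "\n".join(lines[:idx] + [rule] + lines[idx:]) + "\n"
```

Run it against `iptables-save` output from the server; a verdict other than `REJECT:icmp-port-unreachable` for port 464 means the client never gets the ECONNREFUSED it needs to retry over TCP.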